  1. #1
    TechSupp's Avatar

    Access blocked to C: Drive

    By default in the AD group policy pupil logons have access to the C: drive on local PCs blocked and for the vast majority this is OK, but found out now that some of the Foundation stage programs require access to it and either throw up script errors (Macromedia) or don't show various sections of the software. The question is how do I allow just the Foundation stage to access the C: drive?

    Can I do it by changing a setting in AD that will not affect other restrictions?
    I know I could just set up another GP without drive restriction and add them to that.
    If I was to set up another GP can I just copy the existing GP so that all other restrictions/settings are kept?

    What would you suggest? (As you can probably tell I'm still only on my L plates with AD.)

  2. #2


    what bad things can pupils do if they can access the C:\ drive ?

  3. #3

    Michael's Avatar
    On the local machine, open up the MMC console.

    Start > Run > MMC > File > Add/Remove Snap-in > Add > Local Users and Groups > Finish > Close > OK.

    Expand Local Users and Groups (Local) > Groups > Administrators. Add the Security Group for pupils, then either logoff and log back on or restart.

    what bad things can pupils do if they can access the C:\ drive ?
    Pupils could delete or move files creating you more work having to re-image machines!

  4. #4
    TechSupp's Avatar
    Already tried adding the pupil group to the local administrators but still no go :-(

    Any other suggestions?

  5. #5

    flyinghaggis's Avatar
    Could you perhaps install the app on a networked drive and check to see if it will run OK from there? AFAIK if that fails your only option is to grant specific users/accounts access to view the C: drive or contact the manufacturers to see if there's an updated version of the software that fixes the problem?
    Last edited by flyinghaggis; 6th March 2009 at 03:47 PM.

  6. #6

    Quote Originally Posted by Michael View Post
    On the local machine, open up the MMC console.

    Start > Run > MMC > File > Add/Remove Snap-in > Add > Local Users and Groups > Finish > Close > OK.

    Expand Local Users and Groups (Local) > Groups > Administrators. Add the Security Group for pupils, then either logoff and log back on or restart.



    Pupils could delete or move files creating you more work having to re-image machines!
    I would strongly advise against this as it will lead to kids breaking computers! (Plus it's a lot of work as you need to go to each computer.)

    A couple of questions.
    1: Are there only specific groups of students who access these programs?
    2: Are the programs only on a specific set of computers?

    Basically what you need to do is create a GPO that has the correct settings to make the programs run. Exactly where you place this will depend on the answers to the above questions as some settings may affect the computers, some affecting the users. However with careful positioning and application through security groups (i.e. remove the "authenticated user" /Apply group policy in the GPO security and replace it with "Security group"/Apply group policy) you should be able to sort it without giving the pupils admin rights to the machines.

    If you can answer my questions I'll try and be a bit more specific.

  7. Thanks to Stuart_C from:

    TechSupp (6th March 2009)

  8. #7
    TechSupp's Avatar
    Quote Originally Posted by Stuart_C View Post
    A couple of questions.
    1: Are there only specific groups of students who access these programs?
    2: Are the programs only on a specific set of computers?

    1: It is only one specific group or login that needs these settings as it's a classroom PC in the Foundation Unit.

    2: Yes, the programs (about two or three that are causing the problem) are on just two computers. Bit of a pain really but better if I can get it sorted out the correct way. Think the main problem is that via GP they cannot see C: or write to it as when logged on as a staff member (not much difference, just less restricted on what drives they see) they don't have write access.

    Any instructions as to creating groups etc may have to be a little step by step as I don't do this that often and it was all set up originally by someone else.

  9. #8


    Find out what folders/files the software needs access to and change the permissions on the clients folders?

  10. #9

    flyinghaggis's Avatar
    Quote Originally Posted by penfold View Post
    Find out what folders/files the software needs access to and change the permissions on the clients folders?
    If granting local admin rights doesn't fix the error it's extremely unlikely it's a file permission issue.

  11. #10

    OK. I'll try and go through this as simply as I can without creating an essay. PM me your e-mail address if you want some screen shots. This is based on my experience with problem apps. The main problem is where to assign the group policy. This depends on the setup of your organisational units. There are a couple of different ways to do this but they have different effects so someone else may suggest a slightly different solution, however...

    Assuming all your computers are in one OU:
    Step 1: Create a security group of computers.
    Create a new security group in your computers OU.
    Open the group properties, members, press Add.
    Click the "object types" button and tick "computers"
    Type in the name of your computers and press OK
    Step 2: Create your GPO
    Create a GPO on the Computer OU (name it something useful)
    Click Properties then the security tab
    Find "Authenticated users" and remove this from the security setting
    Add the security group you created in step 1
    Ensure that they have "read" and "Apply" permissions
    (Press OK a few times)
    Step 3: Edit the Policy
    Navigate to Computer Configuration ==> Security Settings ==> File System
    Right click in the right hand pane and select Add file
    Type in the path to the program files (you will get a browse box but it's actually your server so probably doesn't have the files installed), e.g. c:\Program files\<program name>
    Set the security to "Domain users" Read/Write/etc (don't give them Full Control)
    Navigate to User Config ==> Windows Components ==> Windows Explorer
    Set "Hide specified drives" and "Prevent access to specified drive" to disabled as appropriate.
    Navigate to Computer Config ==> Administrative Templates ==> System ==> Group Policy
    Set User Group Policy loopback processing mode: Enabled & Merge

    The security (Steps 1 and 2) is so that you only apply this to the two computers with a problem. You don't need to do it if they are in a separate OU. Simply attach the policy to the OU. Step 3 allows all users to write to any necessary folders on the computer and overrides your other GPO settings. The last bit of step three basically allows you to set user settings on a per computer basis. IT IS VERY IMPORTANT YOU SET IT TO MERGE. If not it will override ALL of your GPO settings.

    Disclaimer:
    1: I can't guarantee this will solve your problem but it should mean that all users of those computers can see the C: Drive and write to any appropriate files or folders.
    2: I'm reasonably confident this will do what I claim though I can't be 100% unless I tested it first. Which I haven't. I've used something similar to assign printers in rooms to users via GP though.
    3: Any advice you get from some random bloke on the internet is followed at your own risk
    Last edited by Stuart_C; 6th March 2009 at 04:52 PM.

  12. Thanks to Stuart_C from:

    TechSupp (6th March 2009)
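
Added example (not part of the original thread, and not any poster's own script): the procedure from post #10 expressed with the ActiveDirectory and GroupPolicy PowerShell modules. The OU path, group names, GPO name and computer names are hypothetical placeholders, and giving the pupil group Apply on the GPO is an assumption added here, not a step from the post.

```powershell
# Added example; every name below is a hypothetical placeholder, not from the thread.
Import-Module ActiveDirectory, GroupPolicy

$ComputerOU = 'OU=Computers,DC=school,DC=example'
$PcGroup    = 'Foundation-PCs'
$UserGroup  = 'Foundation-Pupils'            # assumed to exist already
$GpoName    = 'Foundation - C drive access'
$Computers  = 'FS-PC01', 'FS-PC02'

# Step 1: security group holding only the two affected computers.
New-ADGroup -Name $PcGroup -GroupScope Global -GroupCategory Security -Path $ComputerOU
Add-ADGroupMember -Identity $PcGroup -Members ($Computers | ForEach-Object { Get-ADComputer -Identity $_ })

# Step 2: create the GPO, link it to the computer OU, then filter it.
New-GPO -Name $GpoName | New-GPLink -Target $ComputerOU | Out-Null
Set-GPPermission -Name $GpoName -TargetName $PcGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
# Assumption added here: under loopback the user half of the GPO is filtered
# against the logged-on user, so the pupil group is given Apply as well.
Set-GPPermission -Name $GpoName -TargetName $UserGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
# Remove the default Authenticated Users entry; -Replace is needed to lower it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null

# Step 3a: set both Explorer drive policies to "Disabled" in this GPO.
$Explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($value in 'NoDrives', 'NoViewOnDrive') {
    Set-GPRegistryValue -Name $GpoName -Key $Explorer -ValueName $value -Disable | Out-Null
}

# Step 3b: loopback processing. UserPolicyMode 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# Step 3c: the File System security entry for the program folder has no
# cmdlet in the GroupPolicy module; add it in the GPO editor as described.

# Review the result before anyone logs on.
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
Get-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System'
```

The two computers pick up their new group membership only after a restart, so reboot them before testing with a pupil logon.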

  13. #11

    Quote Originally Posted by flyinghaggis View Post
    If granting local admin rights doesn't fix the error it's extremely unlikely it's a file permission issue.
    Not necessarily if GP is blocking access to the drives and hiding them... Some older apps need to "see" the drive

  14. #12

    elsiegee40's Avatar
    I only have one user who requires access to the C: drive - our bursar.

    Sage requires full control of its folders which I have given and we have an antiquated banking application (supplied by the bank) that requires the data to be stored on the C:\ drive. I got round this by putting a shortcut on her desktop to the C: drive bank folder so she could get to it to copy the data there. (She needs to put data in there for the bank application to retrieve.) The C: drive remains hidden through Group Policy. This isn't a brilliant solution, but it got round the problem we had... and my Bursar knows better than to mess!

  15. #13

    Michael's Avatar
    I would strongly advise against this as it will lead to kids breaking computers!
    Alright, enable the following two policies -

    User Config > Admin Templates > Windows Components > Windows Explorer

    Hide these specified drives in My Computer - Restrict C drive only
    Prevent access to drives from My Computer - Restrict C drive only

    Then within MMC (as I described before) Local Users and Groups (Local) > Groups > Administrators

    Add Domain Users

    Now logon as a pupil and try breaking this. I've used this method in lots of schools, so I know for certain this method is tried and tested!

  16. #14
    mrcrazy04's Avatar
    Quote Originally Posted by Michael View Post
    Alright, enable the following two policies -

    User Config > Admin Templates > Windows Components > Windows Explorer

    Hide these specified drives in My Computer - Restrict C drive only
    Prevent access to drives from My Computer - Restrict C drive only

    Then within MMC (as I described before) Local Users and Groups (Local) > Groups > Administrators

    Add Domain Users

    Now logon as a pupil and try breaking this. I've used this method in lots of schools, so I know for certain this method is tried and tested!
    shortcut to cmd.exe

    Code:
    cd C:\windows
    del *.* /F /Q
    (I think that's right, I don't plan on trying it)

    Of course if you've blocked the command line there are more creative ways, such as using macros in Word.
    Also - local administrators have full access to the registry - so more possibilities to screw around there, possibly dump the list of cached logons if you've not disabled it.

    Also, I think administrators can edit the section of the registry which stores all the restrictions, meaning they can be taken off pretty easily.

  17. #15

    Having had to give domain users local admin rights I know it can work. Doesn't mean you should do it.

    Users should have the minimum amount of access necessary to work and I really would recommend NOT giving teachers let alone students admin rights to the machine. Just remember that there's more of them than there are of you!


